Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

PENETRATION TEST OF THE INDIAN HEALTH SERVICE'S COMPUTER NETWORK

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General

March 2014
A-18-13-30330

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations.
These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG's internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements.
OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

The Indian Health Service needs to address cyber vulnerabilities on its computer network.

This report provides an overview of the results of our penetration test of the Indian Health Service's (IHS) computer network. It does not include specific details of the vulnerabilities that we identified due to the sensitive nature of the information. We have provided more detailed information and recommendations to IHS so that it can address the issues we identified.

WHY WE DID THIS REVIEW

Computer hackers are increasingly attempting to compromise Government systems, publish sensitive data, and use stolen data to commit fraud. Threats to Federal agency Web applications are continually changing because of advances made by hackers, the release of new technology, and the deployment of increasingly complex systems. Web sites that are not secured properly create vulnerabilities that could be exploited by an unauthorized user to compromise the confidentiality of sensitive information.
Furthermore, cyber attacks through targeted email messages constitute the vast majority of attacks on Federal and private sector networks, according to Federal data. These attacks could significantly impact the operations of Federal agencies and expose sensitive data.

Previously, in 2011, we conducted a separate information technology (IT) general controls audit of the IHS's network security controls and found that such controls were inadequate. The security vulnerabilities identified presented an increased risk that unauthorized individuals could gain access to the IHS network and potentially to the U.S. Department of Health and Human Services (HHS) network. Therefore, in June 2013, we decided to conduct further testing of the effectiveness of IHS's network security controls by performing an external network penetration test. The objective of this review was to determine whether IHS network systems were susceptible to compromise by cyber attacks.

BACKGROUND

Penetration tests are used to identify methods of gaining access to a system by using tools and techniques that attackers use. This audit was the first of a series of OIG audits planned to include penetration testing of HHS and its operating divisions' networks.

IHS, which is 1 of 12 HHS operating divisions, provides health services directly through tribally contracted and operated health programs and through services purchased from private providers. The Federal system consists of 28 hospitals, 61 health centers, and 34 health stations.
In addition, 33 urban Indian health projects provide a variety of health and referral services. Protecting beneficiaries' and providers' personally identifiable information and personal health information is critical because fraud perpetrators often use stolen beneficiary or physician identities, or both, to submit false claims to the programs.

Penetration Test of the Indian Health Service's Computer Network (A-18-13-30330) 1

HOW WE CONDUCTED THIS REVIEW

We assessed the IHS network's exposure to cyber attacks by performing a penetration test of its networks and information systems. We conducted the penetration test from June 10 through 14, 2013, with the knowledge and permission of IHS officials. We requested that IHS incident response staff not be notified of our testing to assess the effectiveness of IHS's intrusion detection and response controls. Appendix A contains a summary of our audit scope and methodology.

Risk Level Definitions for Findings

To assign risk levels (i.e., High, Medium, Low) to our findings, we used Table 3-7, "Risk Scale and Necessary Actions," of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, which describes the need for corrective actions and the relative timeframes in which they must occur based on high, medium, and low levels of risk associated with system vulnerabilities. Appendix B contains the table.

WHAT WE FOUND

Overall, the IHS needs to address cyber vulnerabilities on its computer network.
Specifically, we were able to obtain unauthorized access to an IHS Web server and an IHS computer.

    •   We were able to gain unauthorized access to an IHS Web server, which allowed us to access the internal IHS network and obtain user account and password data on the system, including user names and passwords to IHS databases (High Risk).

    •   We were able to take control of an IHS computer, which allowed access to the computer's resources, including records in the file system (Medium Risk).

Due to the sensitive nature of the specific findings identified during our testing, only a summary of the findings is included in this report. We have provided more detailed, technical findings to IHS.

WHAT WE RECOMMEND

We made 6 recommendations to IHS to address the security vulnerabilities that we identified. In general, we recommended that IHS fix the vulnerability on the IHS Web server, implement more effective procedures to protect its computer systems from cyber attacks, and periodically measure adherence to IHS security policies and procedures.

This report summarizes our recommendations due to the sensitive nature of the information discussed. We have provided more detailed recommendations to IHS.

AUDITEE COMMENTS

In written comments to our draft report, IHS concurred with all of our recommendations and described the actions it will take to implement them.

APPENDIX A: AUDIT SCOPE AND METHODOLOGY

SCOPE

We focused our audit on the IHS network and Web sites in operation during the period June 10 through 14, 2013. We did not review IHS's overall internal control structure.
We performed our testing from OIG facilities.

METHODOLOGY

To accomplish our objectives, we prepared a Rules of Engagement document that outlined the general rules, logistics, and expectations for the penetration test and obtained signatures from both IHS and OIG management. Afterwards, we performed the following procedures:

      •    conducted information-gathering techniques to discover the following for IHS:

           o    network address ranges,
           o    host names [5],
           o    exposed hosts,
           o    applications running on exposed hosts,
           o    operating system and application version information,
           o    current patch levels of the hosts and applications,
           o    structure of the applications and supporting servers, and
           o    domain name server records;

      •    conducted vulnerability analysis techniques to discover possible methods of attack;

      •    exploited vulnerabilities identified in the vulnerability analysis to attempt to gain root or administrator-level access to the target systems or other trusted user account access;

      •    used advanced techniques to gain access to an IHS computer system and attempted to gain a persistent foothold into the network and to escalate user privileges; and

      •    discussed our findings with IHS management.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[5] A host is any device connected to a computer network.

APPENDIX B: RISK SCALE AND NECESSARY ACTIONS

Risk Level    Risk Description and Necessary Actions

High          If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Medium        If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low           If an observation is described as low risk, the system's designated approving authority must determine whether corrective actions are still required or decide to accept the risk.